Fake website serves fake vpn to steal cryptocurrency

By

The Sonicwall Capture Labs Threat Research team has analyzed a malware purporting to be an installer of a popular VPN software. This is not the first time that malware has pretended to be a VPN installer as we have previously reported here. This time, it mimicked the website of ProtonVPN. Downloaded software from the fake website installs a Trojan once executed.

The fake website looks very similar to the legitimate website.


The Trojan installer which can be downloaded from the now defunct website uses the same icon as the legitimate software and uses the following filename:

Upon execution it peruses through the user’s system to collect information.

Cookies, browsing history, user login data that might have been saved in commonly used browsers like Firefox, Google Chrome, Yandex browser, Comodo IceDragon, Kometa, QIP Surf,CentBrowser, 7Star, Rafotech Mustang, Epic Privacy Browser, among many others, are just some of the data this Trojan collects.

It also tries to steal locally stored cryptocurrency information by searching for commonly used cryptocurrency apps and wallets like Bitcoin ABC, Bitcoin Gold, Exodus, MultibitHD, Electrum and Jaxx.


Encrypted data are then sent out to a remote server.


We urge our users to always be vigilant and cautious when installing software programs particularly if you are not certain of the source.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • Dropper.A_3050 (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.